Online

Almost every time we go online, using our computers or mobile devices, each of us produces data in some form. This data may contain only oblique information about who we are and what we are doing, but when enough of it is aggregated, facts about us which we believed were private has the potential to become known to and used by others.

Many people are surprised to learn that data about their online habits, including the web sites and services they visit, are being collected and shared by marketers in order to target advertising. While such targeted advertising may provide more relevant information to consumers on which they can base their purchasing decisions, and while online advertising supports free online content for consumers, the lack of transparency about these practices has led to consumer apprehension and government concern.

As policy makers, regulators and consumer advocates press for significant reforms , there is an urgent need for companies using online technologies to demonstrate that they respect consumers’ right to privacy and their right to control the collection of information about them. Consumers need to feel confident that what is happening online is being done for them and not to them.

There is no across-the-board privacy law in the United States.

Instead, the U.S. has a “sectoral” approach comprised of multiple statutes that aim to protect privacy in specific industries. Accordingly, persons or entities that collect, use, share and or/retain personal information are subject to various privacy laws at both federal and state levels, including those that apply based on the nature of the data involved, such as financial, health or children’s data.

Section 5 of the Federal Trade Commission (FTC) Act, 15 U.S.C. § 45(a), prohibits and makes unlawful “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce.” The FTC enforces against companies that make privacy promises in privacy policies, but fail to keep those promises. That is, the companies collect, use, share or retain personal information in a way that is inconsistent with the representations they made in their privacy policies. The FTC has also enforced against companies whose privacy policies do not adequately inform consumers about the company’s actual practices.

There is a range of various federal laws governing the privacy of specific kinds of personal information.

In addition to law enacted at the federal level, states also have privacy and data security laws.

Most states have so-called “mini-FTC Acts” under which they have authority similar to that of the FTC to take enforcement actions in response to unfair or deceptive trade practices. This could include tracking consumers without proper notice or when a promise has been made not to track consumer behavior. A number of state attorneys general have been vigilant in enforcing against entities collecting personal information from consumers.

Forty-six states also have data security breach notification laws that require entities holding personal data to provide notices in the event of breaches of the security of that data, and those laws apply regardless of how the data may have been collected, meaning that data that is collected is subject to a security breach will trigger notification obligations. Certain states have specific data security obligations, as well.

*This material is not intended as legal advice and may not be relied on as such. It is presented here to outline the privacy laws aimed to protect consumers in the U.S.

Featuring the most influential minds of the tech policy world, CDT’s annual dinner, TechProm, highlights the issues your organization will be facing in the future and provides the networking opportunities that can help you tackle[...]

This program will feature leading academics and practitioners discussing the latest developments in privacy law. UC Berkeley Law faculty and conference panelists will discuss cutting-edge scholarship and explore ‘real world’ privacy law problems. Click here[...]

PROFESSOR GRAHAM GREENLEAF, Asia-Pacific Editor, Privacy Laws & Business International Report, will lead a roundtable on the countries of most interest to business in the Asia-Pacific region. Click here for more information.

The Privacy Laws & Business 27th Annual International Conference featured more than 40 speakers and chairs from many countries over 3 intensive days. At the world’s longest running independent international privacy event participants gained professionally by[...]

“Data Privacy Day began in the United States and Canada in January 2008, as an extension of the Data Protection Day celebration in Europe. The Day commemorates the 1981 signing of Convention 108, the first[...]

“Data Privacy Day began in the United States and Canada in January 2008, as an extension of the Data Protection Day celebration in Europe. The Day commemorates the 1981 signing of Convention 108, the first[...]